Information Disclosure Vulnerability in Microsoft Outlook Web Access for Exchange Server 5.5

A vulnerability exists in Microsoft OWA for Exchange Server 5.5. An attacker can make unauthorized or unauthenticated requests to reveal information (e.g., email aliases and addresses) stored in the Global Address List (GAL).

Ken Pfeil

September 9, 2001


Reported September 7, 2001, by Microsoft.

VERSION AFFECTED

· Microsoft Outlook Web Access (OWA) for Exchange Server 5.5

DESCRIPTION
A vulnerability exists in Microsoft OWA for Exchange Server 5.5. An attacker can make unauthorized or unauthenticated requests to reveal information (e.g., email aliases and addresses) stored in the Global Address List (GAL). This vulnerability results because a function in OWA that interrogates the GAL doesn't require authentication. Unauthenticated users can call the function and enumerate the mail addresses of users on the server.
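
One way to check IIS logs on an OWA server for the behaviour described above, as an added example that is not part of the original advisory or of Microsoft's bulletin. The advisory does not name the GAL lookup function, so the URL path, query strings, threshold, and log lines below are constructed placeholders.

```python
from collections import defaultdict

# Hypothetical placeholder: the advisory does not name the GAL lookup URL.
GAL_STEM = "/exchange/GAL-LOOKUP-PLACEHOLDER"
THRESHOLD = 3  # assumed: distinct anonymous lookups per client before flagging

# Constructed IIS W3C extended log lines (not real traffic; query strings invented).
SAMPLE_LOG = """#Fields: date time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status
2001-09-08 10:00:01 192.0.2.10 - GET /exchange/GAL-LOOKUP-PLACEHOLDER q=a 200
2001-09-08 10:00:02 192.0.2.10 - GET /exchange/GAL-LOOKUP-PLACEHOLDER q=b 200
2001-09-08 10:00:03 192.0.2.10 - GET /exchange/GAL-LOOKUP-PLACEHOLDER q=c 200
2001-09-08 10:00:04 192.0.2.10 - GET /exchange/GAL-LOOKUP-PLACEHOLDER q=d 200
2001-09-08 10:05:00 192.0.2.20 alice GET /exchange/GAL-LOOKUP-PLACEHOLDER q=a 200
2001-09-08 10:05:01 192.0.2.20 alice GET /exchange/GAL-LOOKUP-PLACEHOLDER q=b 200
2001-09-08 10:05:02 192.0.2.20 alice GET /exchange/GAL-LOOKUP-PLACEHOLDER q=c 200
2001-09-08 10:09:00 192.0.2.30 - GET /exchange/GAL-LOOKUP-PLACEHOLDER q=a 401
2001-09-08 10:09:01 192.0.2.30 - GET /exchange/GAL-LOOKUP-PLACEHOLDER q=b 401
2001-09-08 10:09:02 192.0.2.30 - GET /exchange/GAL-LOOKUP-PLACEHOLDER q=c 401
2001-09-08 10:10:00 192.0.2.40 - GET /exchange/OTHER-PAGE-PLACEHOLDER - 200
"""


def parse_w3c(text):
    """Yield one dict per log entry, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))


def find_anonymous_gal_enumeration(text, stem=GAL_STEM, threshold=THRESHOLD):
    """Return {client_ip: distinct_query_count} for clients that made at least
    `threshold` distinct successful GAL lookups with no authenticated user."""
    queries = defaultdict(set)
    for row in parse_w3c(text):
        anonymous = row.get("cs-username", "-") == "-"  # IIS logs "-" when no user
        succeeded = row.get("sc-status") == "200"
        if anonymous and succeeded and row.get("cs-uri-stem", "").lower() == stem.lower():
            queries[row["c-ip"]].add(row.get("cs-uri-query", "-"))
    return {ip: len(q) for ip, q in queries.items() if len(q) >= threshold}


if __name__ == "__main__":
    print(find_anonymous_gal_enumeration(SAMPLE_LOG))
```

In the sample, the authenticated lookups and the 401 responses are not flagged. The 401 rows show what the same requests look like once the server demands credentials.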

 

VENDOR RESPONSE

The vendor, Microsoft, has released security bulletin MS01-047 to address this vulnerability and recommends that affected users apply the patch the vendor provides.

CREDIT
Discovered by Noam Rathaus of SecuriTeam.
